
If you’re a healthcare entity in the United States, then you’ll certainly be familiar with HIPAA. Enacted by Congress in 1996, HIPAA addresses the security and privacy of health data, among a number of other items. The most important point for healthcare providers, insurers and other health-related entities to take away is the need to keep patient information secure, and to know when, how much and with whom that information may be shared.

In terms of website security, the requirements are fairly generalised. Unlike the PCI DSS, which specifies how data should be secured, HIPAA leaves the choice of security methods in the hands of the entities it applies to. The main section to take note of is 164.312, quoted below, but 164.306 and 164.308 are also relevant. You can read these in our HIPAA compliance white paper, or consult the full HIPAA documentation online.

164.312 (a) (1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).

So, how can your business or organisation comply with HIPAA? The first exercise is to identify any flaws currently present in your web security. This is typically done by a penetration tester, usually with the help of tools such as a web vulnerability scanner. Acunetix is one example of such a product, and it includes a dedicated report that highlights the areas of HIPAA where compliance is at risk, along with the details and location of the vulnerabilities putting that compliance at risk.

The HIPAA compliance report in Acunetix

Once the identified vulnerabilities have been fixed at code level, regular repeated vulnerability scanning is the recommended course of action. New vulnerabilities are identified all the time and web applications are constantly being modified, so website security is not something that can be addressed once a year; it is an ongoing security measure that needs to be maintained.